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Abstract 

In this paper, wc give a theoretical analysis for the algorithms to 
compute functional decomposition for multivariate polynomials based 
on differentiation and homogenization which are proposed by Ye, Dai, 
Lam (1999) and Faugere, Perret (2006, 2008, 2009). We show that a 
degree proper functional decomposition for a set of randomly decom- 
posable quartic homogenous polynomials can be computed using the 
algorithm with high probability. This solves a conjecture proposed by 
Ye, Dai, and Lam (1999). We also propose a conjecture such that the 
decomposition for a set of polynomials can be computed from that of 
its homogenization with high probability. Finally, we prove that the 
right decomposition factors for a set of polynomials can be computed 
from its right decomposition factor space. Combining these results 
together, we prove that the algorithm can compute a degree proper 
decomposition for a set of randomly decomposable quartic polynomi- 
als with probability one when the base field is of characteristic zero, 
and with probability close to one when the base field is a finite field 
with sufficiently large number under the assumption that the conjec- 
ture is correct. 



1 Partially supported by a National Key Basic Research Project of China and by a grant 
from NSFC. 



1 



Keywords. Functional decomposition, multivariate polynomial, ho- 
mogeneous polynomials, right factor space, cryptosystem analysis. 

1 Introduction 

Public key cryptography often relies on a hard mathematical problem. One 
of the hard mathematical problems used in cryptosystems is the functional 
decomposition problem (FDP) for multivariate polynomials [16]. The gen- 
eral FDP for multivariate polynomials has been proved NP-hard by Dick- 
erson (1989). Based on this fact, Patarin and Goubin (1997) proposed 2R 
scheme which is based on the difficulty of decomposing a set of quartic poly- 
nomials. In the original design, K denotes a finite field of q elements. The 
private key consists of: 

1. Three linear bijections r,s,t: K n — > K n . 

2. Two quadratic polynomial mappings tp,(j). K n — > K n . 
The public key consists of: 

1. The field K and n. 

2. The composition of polynomial mapping ir = toiJjoso(f)or, which is 
a set of polynomials of degree four. 

In the encryption system, the quadratic polynomials are chosen from 
the given S-boxes, which can be inverted easily. Given the composition of 
two quadratic polynomials, if we know the private key, then we can obtain 
the plaintext. Otherwise, it is difficult to invert the polynomials of degree 
four directly. So, attack on the 2R scheme is reduced to the functional 
decomposition of quartic polynomials. 

Efficient algorithms for several special forms of FDP are known. Polynomial- 
time algorithms are proposed for univariate decomposition of multivari- 
ate polynomials and multivariate decomposition of univariate polynomials 
[5, 6, 7]. Efficient algorithms for a kind of monomial decompositions of 
rational functions are proposed in [1], which is further extended to a com- 
plete decomposition algorithm for rational parametrization of ruled-surfaces 
[13, 14]. 

Ye, Dai, and Lam (1999) proposed an efficient algorithm for decomposing 
a set of n polynomials of degree four into two sets of quadratic polynomials 
[19]. The key idea of computing the FDP is to differentiate / to obtain a set 
of cubic polynomials and try to recover the right decomposition factors from 
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these cubic polynomials. The idea of differentiation introduced in [19] is a 
very powerful technique in tackling FDP of multivariate polynomials. In a 
series of papers [8, 9, 10], Faugere and Perret made significant contributions 
to this problem by integrating the idea of differentiation and fast Grobner 
basis computation. In particular, they proposed polynomial-time algorithms 
for FDP of semi-regular multivariate polynomial sets. As a consequence, 
the current known schemes based on FDP of multivariate polynomials are 
considered broken. 

As far as we know, the method based on differentiation and homogeniza- 
tion is the only efficient approach to tackle some of the general FDP. But, 
these algorithms make strong assumptions on the input polynomial sets and 
these assumptions are expected to be valid and can be removed. This paper 
focuses on the theoretical analysis of the decomposition algorithm based on 
differentiation and homogenization. The main contribution is that the al- 
gorithm can be used to compute a degree proper decomposition for a set of 
randomly decomposable quartic homogeneous polynomials with probability 
one when the base field is of characteristic zero, and with probability close 
to one when the base field is a finite field with sufficiently large number in 
polynomial time. And if the conjecture we proposed is correct, it holds for 
nonhomogeneous case. 

We show that a degree proper functional decomposition for a set of 
randomly decomposable quartic homogenous polynomials can be computed 
using the algorithm with high probability. This solves a conjecture proposed 
by Ye, Dai, and Lam (1999). We also propose a conjecture such that the 
decomposition for a set of polynomials can be computed from that of its 
homogenization with high probability. Finally, we prove that the right de- 
composition factors for a set of polynomials can be computed from its right 
decomposition factor space. Combining these results together, we prove that 
if the conjecture is correct then the algorithm can compute a degree proper 
decomposition for a set of randomly decomposable quartic polynomials with 
probability one when the base field is of characteristic zero, and with prob- 
ability close to one when the base field is a finite field with sufficiently large 
number. 

The rest of this paper is organized as follows. In section 2, we give 
the main result. In sections 3, 4 and 5, we prove our results for the three 
major steps of the algorithm. In section 6, the algorithm is given and its 
complexity is analyzed. In section 7, we conclude the paper by proposing 
two open problems. 



3 



2 Problem and main result 



In this section, we will present the problem and give the main results of the 
paper. 

Let K be a field and TZ = K[x\, . . . , x n ] the polynomial ring in indetermi- 
nates x\, . . . ,x n over K. For natural numbers u and m, the functional com- 
position of two sets of multivariate polynomials g = (gi, ... , g u )£K[x\, . . . , x m ] 
and h = (h\, . . . , h m )£lZ m is a set of polynomials in TV 1 : 

(/l) •••,/«) = (5l(^l,---,^m),---,5'n(^l,---,^m))- (1) 

That is, 

f = 9°h 

We call (7 and /i the left and right decomposition factors of / respectively. 
The decomposition is called nontrivial if both g and h contain nonlinear 
polynomials. 

The functional decomposition problem (FDP) of multivariate poly- 
nomials is the inverse of the above functional composition procedure. That 
is, given a set of u polynomials / = (/i, . . . , f u )£lZ u and a positive number 
m, to find g = (g ± , . . .,g u )£ K[x 1 , . . .,x m ] u and h = {hi, . . .,h m )£TZ m such 
that / = g o h. 

It is shown that / always has a nontrivial decomposition when m > n, 
which is easy to construct [4]. Then we assume that 1 < m < n. Moreover, 
note that in cryptosystems, the field K is usually finite and we usually 
consider the case that m = n. So in the following paper, assume that 
m = n. 

A basic idea of the differentiation approach is to compute the linear 
space generated by the right factors of / from the linear space generated by 
certain differentiations of the polynomials in /. For a polynomial sequence 
/ = (ft, ... , f u ) G 1Z U with a decomposition like (1), let 

R(f-.h) =apaji K {h 1 ,...,h n } 

be the linear space generated by hi over K, called a right factor space 
of/. 

Another idea of the approach is to use homogenization. More precisely, 
we first compute a decomposition for the homogenization of / and then try to 
recover a decomposition of / from this decomposition. Let df = max(cZyv), 
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dg = max(d gi ), dh = max(dh i )- The homogenizations of /, g, h are 
respectively defined as follows [9, 19]: 
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Then the approach proposed in [8, 9, 10, 19] can be divided into three 
major steps which will be explained later. 
Algorithm FDPMP 

• Compute a right factor space R(f*-.h*) f° r the homogenization /* of /. 

• Compute a right factor space R(f-.h) from R^*. h *y 

• Compute an FDP for / from R^. h y 

We will show that there exists a complete polynomial time algorithm for 
Step 3, while for Step 1, there exist probabilistic algorithms in certain cases. 
We will discuss Steps 1, 2, 3 in the next three sections. 

A decomposition / = g o h satisfying the following condition 

d f = d g - d h (2) 

is called a degree proper decomposition, where df, d g , and dh are the 
degrees of /, g, and h respectively. All decompositions in this paper are 
assumed to be degree proper unless mentioned otherwise. In this paper, 
we will show that the scheme FDPMP can be developed into a polynomial 
time decomposition algorithm for certain degree proper decompositions with 
high probability for random homogeneous polynomials. Here, a set of poly- 
nomials / is called random or randomly decomposable if / = g o h and 
g, h are random polynomials. 

Theorem 2.1 Let f £ K[x±, . . . , x n ] n be a set of quartic homogeneous poly- 
nomials, each polynomial is of the same degree, for n > 5, we have a poly- 
nomial time probabilistic algorithm to find a degree proper decomposition 
f = g oh for g,h G K[x±, . . . ,x n ] n . For a random decomposition f , the 
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algorithm will give correct result with probability one when K is of char- 
acteristic zero, and with probability close to one when K = F q and q is a 
sufficiently large number. 

If the conjecture proposed in Step 2 is correct, then we have the following 
theorem. 

Theorem 2.2 Let f G K[ xi,...,x n ] n be a set of polynomials with degree 
less than or equal to four, and at least one polynomial has degree four. As- 
sume that Conjecture 5.4 is correct, then, for n > 5, we have a polynomial 
time probabilistic algorithm to find a degree proper decomposition f = g o h 
for g,h G K[x±, . . . , x n ] n . For a random decomposition f, the algorithm 
will give correct result with probability one when K is of characteristic zero, 
and with probability close to one when K = F q and q is a sufficiently large 
number. 

The main idea to prove the above result is to consider the generic 
FDP. A generic polynomial of degree d in K [x\, . . . ,x n ] is of the form 

Ui 1 ...i n x 1 -^ ■ ■ ■ x l £ (i\ + • • • + i n < d) where u^...^ are indeterminates. An 
FDP / = g o h is call a generic decomposition if g and h are generic 
polynomials of degrees greater than one. 

We will show that if / = g o h is a generic FDP for two quadratic poly- 
nomials g and h, then we can compute g and h with a polynomial number 
of arithmetic operations in the coefficients fields of g and h. Furthermore, 
when the coefficients of g and h specialize to concrete values in the base field 
K, the algorithm still works with probability close to one. 

Remark 2.3 Let N = n(n + l)(n + 2). Then the coefficients of g and 
h can be considered as an element of K N . For convenience, we can also 
say that (g,h) is an element of K 2N . From the above analysis, if K is of 
characteristic zero, then the coefficients of g and h for which the algorithm 
fails to compute the decomposition g oh consists of an algebraic variety in 
K . In other words, these (g,h) is a subset of K with dimensions lower 
than 2N. In this sense, we say that the algorithm will succeed with probability 
one. If K is a finite field, we will give an estimation of the size of the failure 
subset and show that it is very small compared with N . 
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3 Compute an FDP from a right factor space 



In this section, we will show how to compute a decomposition for / from 
its right factor space efficiently. We discuss this problem first, because the 
result in this section will be used in Section 5. Also, among the three steps of 
the Algorithm FDPMP, this is the only step that has a complete solution. 

We first prove several basic properties for R(f-h)- 

Lemma 3.1 Two equivalent decompositions of f have the same right factor 
space. 

Proof. Suppose that / has two equivalent decompositions g o h = g' o h! . 
By the definition of equivalent decompositions, there exists a nonsingular 
matrix A £ GL n (K) such that h! = h ■ A. Therefore, span. K {h\, . . . , h n } = 
spaxL K {h[,...,h' n }. | 

The following result shows that the FDP of a set of polynomials can be 
reduced to the FDP of several single polynomials. Denote the set of all right 
factor spaces of F by SRf. 

Lemma 3.2 Iff = (f 1 ,..., f u ) £ TZ U , then 

SR f = ntiSR fi . (3) 

Proof. It is clear that SR f C nf =1 SR fr Assume that W £ f\f =1 SR fi 
and hi,- - • , h m be a basis of W. Then there are gi £ K[x\, • • • , x m ] such 
that fi = gi(hi, • • • , h m ). Hence W £ SRf. | 

Since computing the intersection of two linear spaces is easy, we may 
reduce the FDP of / to the FDP of a single polynomial fi. 

The approaches in [8, 19] are based on the idea of right factor space. But, 
the power of this idea is not fully explained in previous work. For instance, 
it is assumed that the rank of Rf is n in [9]. It is clear that this condition 
is not necessarily correct since h can be a set of arbitrary polynomials. For 
instance, if h = (X^ILi x 1 > x 2> ■ ■ ■ > x l) then the rank of Rf is always two for 
any decomposition / = g o h. 

The following result shows that we can recover a right decomposition 
factor for / from R(f-h) under any condition. 
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Theorem 3.3 Let B = {bi, . . . , b^} be a basis ofRrf.fA = span K {/ii, . . . , h n }. 
If dim(R(f.j l \) = k = n, then B is a right decomposition factor of f. If 
dim(Rff.f l \) = k < n, then (&i, &i, . . . , &i) is a right decomposition 

factor of f . 

Proof. Firstly, assume that dim(i?(j. fc )) = n. Since {hi, . . . ,h n } £ R(f:h) 
and B is a basis of R(f-.h) > each hi can be expressed as a linear combination 
of {bi, . . . , b n }. That is, there exists an invertible matrix P £ GL n (K) such 
that {hi, . . . ,h n ) = {bi, . . . ,b n ) ■ P. Then f = g oh = g{X ■ P) o (h ■ P" 1 ) = 
g(X • P) o (61, . . . , b n ), where X = {x%, . . . , x n ). Therefore, B is also a right 
decomposition factor of /. 

Secondly, let d\m{R^. h ^) = k < n. For the decomposition of / = g o h, 
since {hi, . . . , h n } G R(f-.h) an d B is a basis of R(f-h)-, hi = Ylj=i a i,jbj- 

Therefore, we have 



(hi, ...,h n ) = (bi, . . . ,b k ) 



( an 



\ ai k 



a n i 



a-nk 



and (aij)kxn contains a nonsingular kxk submatrix, or else dim(span^{/ii, . . . , h n }) < 
k, a contradiction. 



Suppose that 



/ an 



det 

\ aik ■ ■ 

Then (hi, . . . , h n ) = (bi, . . . , b k , h k+1 

(an ■■ 

A = 



aik 



\ 



7^0. 



akk J 
. . , h n )A, where 



akk 



V 



In-k J 
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is an n x n invertible matrix. Moreover, let 



/ 



B 



— dfc+1,2 — a fc+2,2 



4 



-<lk+2,k 



-a n ,i + 1 \ 
— «n,2 



\ Ai-fc / 

be an n x n invertible matrix. It is easy to see that 

. . . , b k , h, . . . , &i) = . . . , bit, h k+1 , ft n )J3. 

Hence, 

(Til, • ..,h n ) = (b 1 , ...,b k ,bx,.. . ^i)^" 1 ^. 

Since is nonsingular, there exists a </' such that / = g"o(pi, . . . , i>i, . . . , &i) 

which is an equivalent form of / = 50/1. So we can choose (&i, &i, &i) 

as a right decomposition factor of /. | 

Note that the last n — k elements 61 in the right factor can be replaced 
with any bi in Theorem 3.3. 

Corollary 3.4 Corresponding to a given right factor space R^.^, f has a 
unique decomposition under the relation of equivalence. 

Restricted to decomposition of quartic polynomials considered in Theo- 
rem 2.2, we have the following result. 

Theorem 3.5 Use the same assumption as Theorem 2.2. IfRff.fA is known, 
we can compute g with 0(n 3w ) arithmetic operations in the field K, where 
2 < uj < 3. 

Proof. Suppose R(f-.h) = sp&n K (hi, . . . , h}.) is known. Then a right de- 
composition factor of / is also known by Theorem 3.3. To find g, we may 
simply by solving a system of linear equations with the coefficients of g as 
indeterminates. Note that g has nC^ = 0(n 3 ) coefficients. Then we need 
0((n 3 ) w ) = 0(n 3aJ ) arithmetic operations in K to find g, where uj is the 
matrix exponent [2] to measure the complexity of solving linear equations. | 
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4 Decomposition of a set of homogenous polyno- 
mials 



In this section, we consider the decomposition of / when each polynomial 
of it is homogeneous of the same degree. More precisely, we will consider 
the following problem: "Let / be a set of quartic homogeneous polynomials. 
Find a decomposition / = goh where g, h are sets of quadratic homogeneous 
polynomials." 

We may consider the problem in two steps. First, we compute the fol- 
lowing linear space over K 

df 

V f = span K {-^:l<i<u,l<j<n}. (4) 

Since / = g o h and g consists of quadratic polynomials, it is clear that Vf 
is contained in the following linear space. 

Vf = span K {xihj : 1 < i, j < n}. (5) 

The following example shows that Vf could be a proper subset of Vf. 

Example 4.1 Let f = (xy 2 z,x 2 y 2 + xy 2 z,xy 2 z + y 2 z 2 ), g = (xz,x 2 + 
xz, xz + z 2 ), h = (xy, y 2 ,yz). It is easy to check that f = goh. We have Vf = 
sp&n K {xyz, y 2 z, yz 2 , xy 2 , x 2 y] and Vf = spa,n K {xyz, y 2 z, yz 2 , xy 2 , x 2 y, y 3 }. 
Vf is a proper subset ofVf. Later in this section, we will see that h cannot 
be recovered from its corresponding Vf in this example. 

The idea of the algorithm is to compute Vf first, then try to recover Vf 
from Vf, and finally compute R(f-h) from Vf. We will analyze the above 
procedure in the following two subsections. The problem is divided into two 
cases: u = n or u < n. 

4.1 The case when u = n 



We divide the procedure into two steps: to compute Vf from Vf and to 
recover Rif-.h) from Vf. 

A. Compute Vf from Vf 
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When u = n, Vf is generated by n 2 cubic polynomials, and dim(V/) < 
dim(Vf) < n 2 . In the next theorem, we will show that the probability for 
Vf = Vf is close to one under some conditions. The idea of the proof is 
to find a nonsingular matrix A in some indeterminates such that if a set of 
specialization of these indeterminates does not vanish \A\ then Vf = Vf. 

Theorem 4.2 For randomly chosen g and h, let f = go h. Then 

1. Vf = Vf with probability one when the field K is of characteristic zero. 

2. Vf = Vf with probability close to one when K = GF(q) and q is 
sufficiently large. 

Proof. Assume that 

fi= ^2 a kl h khi, (1 < i < n) 

l<k,l<n 

where afj*\ = df^ for 1 < k, I < n, and 



hi = ^2 bfyxkXi, (1 < i < n). 



KW<n 



Then 



Let 



f* = y afAh^ + h^). 

OXj z — ' ' OXj OXj 

3 KfcKn 3 3 



( dfi df 2 df n \ . 
Ui = —, —, ■■■ , , Vi = {Xihi,Xih 2 , ■ ■ ■ ,Xih n ) , for z = 1, • • • ,n. 

\ OXj OXj OXj ) 

Let U = {Ui,U 2 ,--- ,U n ) T and V = {Vy,V 2 ,--- ,V n ) T . Each can be 
represented by a linear combination of {x^hi, 1 < k, I < n} over K and the 
coefficients are expressions in o[ So, there exists an n 2 x n 2 matrix A 

such that U = A ■ V where the elements of A are polynomials in Uuubu,. 
We will prove the det(A) ^ 0. We make the following substitutions in A: 
a k\ = + 0* ano - frju = an< ^ denote the new matrix by A, where 
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5k t i is the Kronecker's delta. After making these substitutions, one has 
fi = Y^k i(k + an d hi = x\ for 1 < k, I, i < n. Now we have 



7p- = 4 ^(s + k) l x s x\, for i, s = 1, 



<9x 



• • • ,n, 



k=l 



which imply that for all s = 1, ■ ■ ■ , n, 



dx a 

dh 

dx s 



\ 



( 4(l + s) 4(2 + s) 
4(1 + s) 2 4(2 + s) 2 



4(n + s) \ / x s xf \ 
4(n + s) 2 



2 



|£a J \ 4(1 + s) n 4(2 + s) n ... 4(n + a) n / \ x a x\ ) 



Therefore det(^4) is the products of a constant and n Vandermonde deter- 
minants, which is nonzero. Hence det(^4) ^ 0. One can easily see that the 
total degree of det(A) in a^\,b^\ equals 2n 2 . 

When g and h specialize to concrete polynomials in K[x\, . . . , x n ] n , if A is 
invertible then each element of Vf can be represented by a linear combination 
of the elements of Vf. So, Vf = Vf. 

When K is of characteristic zero, det(A) ^ with probability one in 
the sense explained in Remark 2.3. When K = GF(q), det(A) / with 
probability at least = 9-2,1 which is close to one when q is sufficiently 
large [15]. These conclude the theorem. | 

When Vf / Vf, Ye et al proposed a heuristic method to enlarge Vf, but 
there is no theoretical guarantee that the enlarged Vf is equal to Vf [19]. 

B. Recover Rif-h) from Vf 

In this subsection, we assume that the space Vf is known and show how 
to recover R(f-h) from Vf. Given a vector space V C K\x\, ■ ■ ■ ,x n ] and a 
set S C K[x±, • • • , x n ], we define (V : S) = {/i|Vs £ S, s/i£ V}. 

By the definition of Vf, Xihj £ Vf for all i, j. Hence, hj £ (Vf : Xi), and 
then R(f -.h) != (V/ : Xj), for all i So we have 

R(f:h) C DiCViF : ^) = (Vf : L), 



where L is the linear space generated by the variables x\, . . . , x n . 
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Note that R(f-.h) Q (Vf '■ L) does not always hold. In Example 4.1, 
(Vf : L) = {yz,xy} while R(f-.h) = {u z i x D-,y 2 }- (Vf '■ L) is a proper subset 
of R(f-h)- However, by Theorem 4.2, in the general case, R(f-.h) Q (Vf : L) = 
(Vf : L) with probability one when K is of characteristic zero and close to 
one when K = GF(q) and q is sufficiently large. 

One may ask that whether R(f-h) = (Vf : L)l It is not always true as 
shown by the following example. 

Example 4.3 Let f = (x 2 y 2 ,x 4 + y 4 ), g = (xy,x 2 + y 2 ) and h = (x 2 ,y 2 ). 
(Vf : L) = sp&n K {xy , x 2 , y 2 } . R(f-.h) is a proper subset of (Vf : L). 

Ye et al proposed a conjecture which suggests that for random R(f-.h), the two 
spaces are equal with probability close to one no matter whether dim(i?(j./ l )) = 
n or dim(R/f.f l \) < n [19]. The conjecture is as follows: 

Conjecture Y[19, p319] Let be a linear space of dimension < n 
consisting of quadratic forms in n variables x±, . . . , x n , and L be the linear 
space generated by x\, . . . , x n , V = J2i<i< n x iW. For randomly chosen W, 
the probability p that (V : L) = W is very close to one when n > 2. 

It is one of the theoretical foundations of the differentiation approach. 
The authors [19] did not prove it and just gave a justification with some 
heuristic arguments. The work of Faugere and Perret is also based on this 
basic fact. When the number of (Vf : L) equals n, they regarded (Vf : L) as 
R(f-.h) m their algorithm [8, 9]. 

We will give a proof of the conjecture when n > 5. Actually, we will 
extend the conjecture into a more general case that W and L are linear 
spaces consisting of homogeneous polynomials with higher degree and give 
a proof for this extension of the conjecture. The assumption n > 5 is not 
a strict limitation since in practical usages, n is much larger than five. The 
number q is always large in 2R or 2R~ scheme [8, 9]. Before proving the 
conjecture, we need a technical lemma. Let P = (pi,-- - ,p n ) £ N n . In 
the following, we will always use X p to denote the monomial a^ 1 • • • Xn n 
and M(d! , x±, ■ ■ ■ , x n ) to denote the set of all monomials in x±, ■ ■ ■ ,x n with 
degree d! . 

Lemma 4.4 Assume that hi = J2\P\=d a p )xP G K l 

ho- 
mogeneous polynomials in x\,- ■ ■ ,x n with degree d, where i = 1, • • • , n + 1 
and Op £ K. Assume that d' < d and n > 2d. Then if {mhi\m £ 
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M(d! , xi, ■ ■ ■ , x n ), i — 1, 2, • • • ,71 + 1} are linearly dependent over K , then 
p \ will vanish a set of polynomials with total degree at most n( n+ ^, _1 ). 

Proof. Let us consider cSp as indeterminates for a moment. Assume that 
H = Yl Cm^mhi where c m ^ are indeterminates. Regarding H as a poly- 
nomial in xi, • • • ,x n , one can see that H is a polynomial with { n+ d+d'~ l ) 

(i) 

monomials whose coefficients are polynomials in c m i,a p . Setting H = 0, 
one can get a system of the equations as follows: Ac = 0, where A is a 
( n+ rf+^' _1 ) by n ( n+ ^/ _1 ) matrix with entries linearly in the dp, and c = 
(c mi ,i, • • • , Cm,j,i, ' By the computation, one can show that ( n+ ^^/ _1 ) > 
n ( n+ d /_1 ) - Hence A is of full rank if and only if {mhi\m G M(d' ,xi, ■ ■ ■ ,x n ),i = 
1, . . . , ?i + 1}, are linearly independent. To prove A is of full rank, one only 
need to prove this for a specialization of A. Since n > 2d, let hi = xf, h 2 = 
x 2 , ■ ■ ■ , K = x d , h n+ i = x x x 2 ■■■Xd + x d+ ix d+ 2 ■ ■ ■ x 2d . It leads to a spe- 
cialization of the matrix A. Denote this specialization by A. We claim 
that A is of full rank, which is equivalent to claim that the polynomials 
mx d j ,m{xi ■ ■ -x d + x d+ i ■ ■ ■x 2d ),m G M(d',xi, ■ ■ ■ ,x n ), j = l,---,n, are 
linearly independent. Assume that 

H = d "i,imxf + ^2 b m m(xi ■■■x d + x d+± ■ ■ ■ x 2d ) = 

m,i m 

where c m ^,b m G K. For convenience, denote dx 1 ^ ■ ■ ■ dx^ by dm where 
m = xf 1 ■ ■ ■ x^ 1 . One can see that 

d d+d ' (H) J *c mt i V m! G M, m!x\ ■ ■ ■ Xd / mxf and m'x d+ i ■ ■ ■ x 2d ^ mxf; 

dmxf 1 *c m ,i + *b~m' 3 m! G M s.t. m'xi ■ ■ ■ x d = mxf or m'x d+ i ■ ■ ■ x 2d = mxf; 

Qd+d' ^jj^ J ^ m h = xi ■ ■ ■ x d and V m' G M V i, mx\ ■ ■ ■ x d ^ m'xf; 

dmh 1 *c m ',i + *b m h = x d+ i ■ ■ ■ x 2d and 3 m' G M 3 z s.t. mil ■ ■ ■ x d = m'xf; 

where * denote positive integers. Since — — - = for all monomials m, 

the claim is proved. Therefore A is of full rank. Now consider the a p as 
the elements in K. If {mhi\m G M(d' , xi, ■ ■ • , x n ), % = 1, 2, • • • , n + 1} are 
linearly dependent, which implies that Ac = has a nontrivial solution, 
then ^°p^ must vanish the determinants of all n( n+d , by ^( n+ ^/ _1 ) 
submatrices of A. This completes the proof. | 
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Let h = (h\, /i2, • ' ' j h n ) where the hi are homogeneous polynomials with 
the same degrees in K [x±, ■ ■ ■ , x n ] and let dh be the degree of hi. Denote 

U(h, d!) = span K {mhi\m E M(d! , x\, ■ ■ ■ , x n ),i = 1, 2, • • • , n}. 
Let W = spa.n K {h\, • • • , h n }. Then we have 

Theorem 4.5 For randomly chosen h\, /12, • • • , h n , if d' < d^ and n > 2dh, 
then the probability p that (U(h,d') : xf) = W is one when the field K is 
of characteristic zero and close to one when K = GF(q) with q sufficiently 
large. 

Proof. Assume that hi = Yl\p\=d h a ^pX p G K[x\,--- ,x n ], where the 
af G K. Denote U = {H G U(h, d')\ xf\H}. For £\ G [7, let 

Ci = Go,ixf + Gi^xf _1 + . . . + Gd'-2,i x \ + Gd'-i^xi + Grf/ 5 j 

and 

^ = /io.i^i' 1 +hi,i x f h ~ l + ... + h dh -2,ix\ + hd h -i,iXi + h dh ,i, 

where Gq^, G± t i, . . . , Gd>,i are homogeneous polynomials in X2, ■ ■ ■ , x n with 
degree 0,1, ... ,d' respectively and ho t i, h\^, . . . , hd h) i are homogeneous poly- 
nomials in X2, ■ ■ ■ , x n with degree 0,1, ... ,d^ respectively. Since ^ Gj/ij 
i ) mod xf , we have 

^Gj/ij = ^ ( x i ~ X \Gi,ihd h ,i + G2,ihd h -\,j + . . . + Gd',jhd h -d'+i,i) 

i i 

+xf ~ 2 (G2,ihd h> i + Gs : ihd h -i t i + ■ ■ ■ + Gd',ihd h -d'+2,i^j + • • • 

+Xi (Gd'-2,ihd h ,i + Gd>-i 7 ihd h -i t i + Gd',ihd h -2,i) 

+x\ (Gd'-i,ihd h ,i + Gd',ihd h -i,i) + Gd',ihd h) ij 
= mod xf . 
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+ G d ',ih dh -d'+i,i) = 0, (6) 
+ G d > ii hd h -d , +2,i) = 0> (7) 

y~] [Gd'-2,jhd h ,j + Gd'-i,jhd h -i,i + Gg> ,jhd h -2,j) = 0, (8) 

i 

^ [Gd'-i,ih dh ,i + G d > ,ihd h -i,i) = 0, (9) 

i 

Y,Gd'^d h ,i = 0. (10) 

i 

Assume that for each 1 < k < df, {mxf \m G M(k, X2, • • • , x n ),i = 2, • • • , n} 
are linearly independent. Then by the equalities (6) - (10), one has Gj t i = 
for j = 1, ■ ■ ■ , d! and i = 1, ■ ■ ■ , n. Therefore U = Go^hi} C VF. Note 
that (U{h,d') : xf ) = F. Hence {U(h,d') : xf ) = W. By Lemma 4.4, the 
cSp such that for some k < d', {mhi\m G M(fc, X2, • • • , x n ), i = 1, • • • , n} are 
linearly dependent are the zeroes of some polynomials with degree at most 

(» " l)( n+ S" 2 ) (< (" " l)( n+ S'- 2 ) = 

Hence when K is of characteristic zero, the probability that (U(h, d') : 
xf) = W is one; when K = GF(q), the probability that (U(h, d') :xf) = W 
is at least 2—^- which is close to one when q is sufficiently large [15]. | 

Remark 4.6 In general, when K is algebraically closed, Theorem 4-5 does 
not hold for sufficiently large integer d' . For randomly chosen h±, ■ ■ ■ ,h n , the 
set of zeroes of {hi, • • • , h n } in P(i^) n_1 is empty, where P(J^) n_1 is n — 1 
dimension projective space over K . Then by the Projective Weak Nullstel- 
lensatz Theorem (Theorem 8, p. 374, [3]), there is some integer r such that < 
xi, ■ ■ ■ ,x n > r C< U(h, r — dh) >■ Let d' = r — dh- Then M(r, x±, ■ ■ ■ , x n ) C 
U(h,d'), which implies that M(dh, xi, • • • ,x n ) C (U(h,d') : xf). However, 
in general, W ^ sp&n K (M(dh,xi, • • • , x n )). 

Corollary 4.7 Conjecture Y is correct over K when n > 5, where K 
is of characteristic zero or is a finite field consisting of a sufficiently large 



Therefore, 

^ \ G\,ihd hj i + G2,ihd h -i,i + ■ ■ • 

i 

y^ [G2,ihd ht i + Gz,ihd h -i,i + ... 
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number of elements. 



As a consequence of Theorem 4.2 and Corollary 4.7, we have the following 
result. 

Theorem 4.8 If f is a random decomposition and n > 5, then (Vf : L) = 
R(f:h) with probability one when K is of characteristic zero and with proba- 
bility close to one when q is sufficiently large where K = GF(q). 

Therefore, we can recover R(j-h) from Vf directly with high probability if 
the FDP of / is randomly chosen. 

Faugere and Perret assumed that Vf = Vf in their papers, since they 
assumed that the decomposition is random, the dimension of R(f-.h) spanned 
by hi, . . . , h n is n, and dim(Vy) > dim(V/) [8]. 

Theorem 4.9 Under the same assumptions as Theorem 4-8. IfVf is known, 
we can compute R(f-h) with complexity 0(n 3uJ ) arithmetic operations in K 
with probability one when K is of characteristic zero and with probability 
close to one when q is sufficiently large when K = GF(q). 

Proof. It suffices to randomly choose a linear polynomial I in x±, . . . , x n and 
compute (Vf : I) to obtain Rif-.h)- Without loss of generality, assume that 
I = x\ + C2X2 + • • • + c n x n . Denote it by X = Mi ■ Y. 

For all / e K[x!, ...,x n ], define M t (f) = f\x=M v Y, Mf l (g) = ff| Y=M -i. x , 
where g G K[ Vl , ...,y n }. Then M^M^f) = f, and M,(/i/ 2 ) = Mi(h)Mi(h)- 
So Mi(l) = 1\ x =m v y =yi- Let Mi(V f ) = { P \x=m v y ■ for all p G Vf}. 

Then we have r G (Vf : I) rl G Vf O M t (rl) G Mi(V f ) O Mj(r)M f (Z) G 
Mi(V f ) O M,(r) G (M^Vrfj M,(Z)) M,(r) G (Mj(Vf) : yi ) r G 
M-^MKF/) : yi). That is, (Vf : /) = Mr 1 (M l (Vf) : 

So in order to compute (Vf : I), we can first transform the polynomials 
in Vf by a nonsingular coordinate substitution X = Mr Y to obtain M;(V/), 
and then compute (M/(V/) : yi). Finally, transform (Mi(Vf) : yi) to (Vy : I) 
by the inverse transformation Y = Mf l -X. The main arithmetic complexity 
relies on the computation of (Mi(Vf) : y\). 

We construct a matrix S to represent the polynomials of Mi(Vf) in 
a basis of monomials of degree three. Each row of S corresponds to the 
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coefficients of each polynomial of Mi(Vf) with respect to the monomials 
of degree three. Suppose that the monomials are sorted so that the last 
n(n + l)/2 columns of S correspond to monomials which can be divided by 
y\. Then perform linear elimination to S, we can obtain polynomials which 
can be divided by yx, denoted by ij, i = 1, . . . , k, if n > 5, then k < n [10]. 
Then (Mi(Vf) : yx) = {U/y^i = l,...,k}. Note that 5 is an n 2 x C^ +2 
matrix. Then we need 0((n 3 ) w ) = 0(n 3tJ ) arithmetic operations to compute 
(Mi(Vf) : yi). The whole arithmetic complexity of computing (Vf : /) is also 

4.2 The case when u < n 

We now consider the case of u < n. In this case, Faugere and Perret extended 
Vf and Vf to new linear spaces Vfd and Vfd'- 

Qf. 

Vf d = span^m-^- : m G M(d),l < i < u,l < j < n}, (11) 

OXj 

Vfd = span K {m'hj : m! G M(d + 1), 1 < i,j < n}, (12) 

where M{d) represents the set of monomials of degree d. It is obvious that 
Vfd Q Vfd- The authors [8, 9] required dim(Vfd) > dim(Vj^) by choosing a 
proper integer d, which means Vfd = Vfd- 

Assume Vfd is known, and try to recover R(f-h) from Vfd- By the defini- 
tion of Vfd, mhj G Vfd for all m G M(d+V) and j. Hence, hj G (Vfd : £f +1 ), 
and then C (V fd ■ xf +l ), for all i. Hence, C Hi(Vf d ■ x^ +1 ). 

The approach in [8, 9, 10] makes use of this property, and recovers R(f-h) by 
computing the quotient (Vfd '■ x^ +l ) for some i. The authors [8, 9, 10] chose 
that i = n. 

In the case that d g = dh = 2, Theorem 4.5 fails. 

However, in the general case, if the degrees of g and h are more than 2, 
then from Theorem 4.5, we can compute R(f-.h) by computing the quotient 
(Vfd :xf +1 ) whend+l<d h . 

From the above discussion, we can see that the results listed above pro- 
vide a theoretical guarantee for the previous work [8, 9, 10, 19] in certain 
sense. 
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5 Recover the decomposition of / from /* 



In this section, we study the relationship between the FDPs of a set of 
polynomials / and that of its homogenization /*. We will show that with 
high probability, we can recover a decomposition for / from a decomposition 
of /*■ 

For a general FDP / = g o h, the following result gives the connection 
between the FDP of / and the FDP of its homogenization /*. 

Lemma 5.1 If f = g o h, then x 3 h df f* = g* o h* , where d g ,dh,df are 
the degrees of g, h, f respectively. 



Proof. If / = g o h, we have d g ■ dh> df. Hence, 

,X\ X n X\ X n X\ x n 

fi{— , . . . , — ) = gi{hi{— ,.. . , — ),. . .,h n {—, — )). 

Xq Xq Xq Xq Xq X 



Then 

* 7* I d,„dh d„dh I-, ,X\ X n dndhi c^l ^n\\ 

g oh = (x Q s h ,x 9 h gi(h 1 {— ,...,—),..., x 9 h h n {— )), 

XQ Xq X Xq 

d g d h ,X\ X n , ,X\ Xfi \ \ 

■ ■ ■ , V 9u{hi{ — , — ), . . .,h n ( — , — ))) 

XO X Xq Xq 

_ f„ d 9 d h d a d h f /^l X n\ d g d h , ,Xl_ ^"n 

— yxr, , Xq ji\ )■•■) )i---iXq j u y )) 

Xq X Xq Xq 

dgd^—df, df df j, ,X\ X n » df „ ,X\ X n ^ 

— Xq [Xq ,Xq Jl{ , ),..., Xn J u { J J 

X X Xq Xq 

_ d 9 d h~df f * , 

— X Q J . | 

As a consequence, we have (/ o g)* = f* o g* if df ■ d g = dh [9, 19]. 

By a homogeneous decomposition f = g o h, we mean that each com- 
ponent of /, g, and h are homogeneous of the same degree df, d g , and dh 
respectively. It is clear that a homogenous decomposition is always degree 
proper. 

The following result gives a necessary and sufficient condition for / to 
have an FDP in terms of its homogenization /*. 

Theorem 5.2 Let f = (/i, . . . , f u ) G 7Z U . Then, f has a decomposition if 
and only if there exist natural numbers s, t such that Xq/* = g' o h' is a 
homogeneous decomposition and Xq 6 span^{/i , . . . ,h' n }. 
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Proof. If / has a decomposition / = g o h, let s = x 9 h f ,g' = g*,h' = 
h*,t = dh in Lemma 5.1. Then the conclusion holds. 

We now prove the other direction. If there are natural numbers s, t such 
that Xq/* = g'oh' is a homogeneous decomposition and Xq £ span K {h' , . . . , h' n }, 
then deg(Zi') = t, deg(g') = s+ f f , and we can choose g', h! such that x$f* 
has the following homogeneous decomposition form by Theorem 3.3: 

™s f* (*+ d l rr s+d fff Xl Xn \ *+ d f f ( X l X n\\ 

x (y — \ x o ' x o jH >•••) )}••• i x n Ju\ )•••) j) 

x x x x 

s + d j- 

= ,g[,---,g' n ) ° {xliK, . . . ,ti n )) 

and deg(g' i ) = s+ ^ f , deg(/i^) = t. Let xq = 1. We have 
/ = (/lj- ■■)/«) 

= (9i(hxi,...,x n ),... ,g' u {l,xi,.. .,x n )) o (7ti(l,xi,.. . ,x n ),. . . ,/4(l,a;i, 

which is a decomposition of /. | 

As a consequence of Lemma 5.1 and Theorem 5.2, we have 

Corollary 5.3 Let f = (fi,---,f u ) S 1Z U . Then, f has a degree proper 
decomposition if and only if there is a natural number t such that f* has a 
homogeneous decomposition f* = g'° h! and Xq £ span K {h' , . . . , h' n }. 

In order to use the idea of homogenization, we need to solve the following 
problem. 

Conjecture 5.4 For all homogeneous decompositions of f* = G o H , we 
have Xq 11 G sp&n K {Ho, . . . ,H n }. 

If the conjecture is true, we may conclude that to compute a degree 
proper decomposition of / is equivalent to compute a homogeneous decom- 
position of /*. Therefore, we can obtain a right factor space R(f -h) °f / from 
R(f*:h*) m the same way with the method in the proofs of Theorem 5.2. 

Theorem 5.5 Conjecture 5.4 has a positive answer in the field of complex 
numbers if the degrees of f* , G and H are 4,2,2 respectively and n = 2. 

Proof. In the field K = C, if G is nondegenerate, we can assume that G 
has the following standard form G = Xq + x\ + x\ by nonsingular linear 
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substitution (If G is degenerate, then we can assume that G = Xq + x\ or 
G = Xq, it is easy to see that the Conjecture holds in either case). 

Firstly, we claim that we can assume Hq = Xq + cq, Hi = b±xo + ci, and 
H2 = 62^0 + c 2 where Cj are quadratic homogeneous polynomials and hi are 
linear homogeneous polynomials in variables x\ and x-i. Since we consider 
the decomposition over the field of complex numbers, we may assume that 
Hk = OfcXQ + Gk(k = 0,1,2), where Gk does not contain Xq. Since Xq = 
Hq + H\ + iff > °o + a i + a 2 = 1- Without loss of generality, we may assume 
a\ + a? £ 0. Let tf = -22=2l= + -SpL and = - We 

have 

^ + ^i 2 = (H'of + (^) 2 

and H[ does not contain the term Xq. Repeat the above procedure one more 
time, we obtain three new polynomials H'^H'^H^ such that H" and H% 
do not contain Xq. Since Xq = Hq + H 2 + flf, we have iTg = ^0 + ^0^0 + c o- 
Comparing the coefficients of Xq, we have 60 = 0. Thus, the claim is proved. 

Since = H$ + iif + H|, we have -c (c + 2xg) = H 2 + H% = (Hi + 
iH2)(H\ — 1H2). We will discuss it in the following two cases. 

(1) When Co + 2xq is irreducible, then there exist constants a, /3 £ -?T 
such that ifi + 1H2 = a(co + 2xq), Hi — 1H2 = /3co, or H\ — 1H2 = a(co + 
2xq),Hi + ii?2 = /3co- In either case, we have Xq G span A {.Hi, #2}- 

(2) When Co + 2xq is reducible, then there exists a linear polynomial p in 
variables x\,X2 such that Co + 2xq = (v^o +p)(\/2a;o ~p) where cq = —p 2 . 

If Hi + 1H2 has a factor \/2xq +p or \f2x$ —p, without loss of generality, 
assume \^2xq+p is a factor of H1 + 1H2, then there exists constants a, (3 € K 
such that H\+iH2 = ap(\/2xQ+p) and H\—iH2 = (3p(\/2xo—p). Thenp 2 G 
span A -{f/i, H2}. Since ffo = ^o+ c o = x o~ P 2 > thenp 2 G sp&n K {Ho, H\,H2}. 

If Co + 2xq is a factor of H\ + i-ff2i then the same as the case (1), x\ G 
span K {Hi,H 2 }. 

The above discussion shows that x 2 , G span K {Ho, H\,H^. \ 
The proof of Conjecture 5.4 is still open. 



6 Algorithm and complexity 

Let / G K[ x±, . . . ,x n ] n be a set of polynomials with degrees less than or 
equal to four, and at least one polynomial has degree four. We now give the 
algorithm to find a degree proper decomposition of /. We prove that it is 
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a polynomial time algorithm with high successful probability if Conjecture 
5.4 is correct. Note that the algorithm is essentially the same as that given 
in [19]. Our main contribution is the analysis of the algorithm. 

Algorithm FDPMP4. 

Input: / G K[x\, . . . , x n ] n be a set of polynomials with degrees less 
than or equal to four, and at least one polynomial has degree four. 

Output: g,h € K[x\, . . . , x n ] n such that / = g o h is a degree proper 
decomposition of /. The algorithm may fail even if such a decomposition 
exists. 

Step 1. Let Jq(x ,x 1 , ...,x n ):= x%, f*(x Q ,xi, . . .,x n ) := x%fi(*±, ... , f^),l < 

— Q -P* 

i < n, and Vf := span^{^- : i,j = 0, 1, . . . ,n}. 

Step 2. Compute Ftff.ty := (Vf '■ as stated in the proof of Theorem 

4.9. 

Step 3. Set x = 1 in R\ f . h) to obtain R(f :h y. R(f-.h) '■= ^(/ : h)U =i- 
Step 4. Perform linear elimination to the generators of R(f -.h) to obtain 

a basis (hi, . . . , hk) of R(f-h)- If = n, then h = (hi, . . . , h n ); otherwise 

h = (hi, . . . , h k , hi, . . . , hi). 

Step 5. Compute the coefficients of g by solving a system of linear 

equations as shown in Theorem 3.5. 

Theorem 6.1 Algorithm FDPMP4 needs 0(n 3uJ ) arithmetic operations 
in the field K, where 2 < uj < 3. For a random decomposition f, the 
algorithm computes the decomposition with probability one when K is of 
characteristic zero, and with probability close to one when K = GF(q) q 
is a sufficiently large number under the assumption that Conjecture 5.4 is 
correct. 

Proof. Assume that Conjecture 5.4 is correct, the complexity of the 
whole algorithm depends on Step 2 and Step 5, both of them cost 0(n 3uJ ) 
arithmetic operations by Theorem 3.5 and Theorem 4.9. Then we have a 
polynomial time algorithm to find a degree proper decomposition / = g o h 
for g,h £ K[xi, . . . ,x n ] n with probability one when K is of characteristic 
zero, and with probability close to one when K = GF(q) q is a sufficiently 
large number. | 

This proves Theorem 2.2. 
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7 Conclusion and problems 



In this paper, we give a theoretical analysis for the approaches of computing 
functional decomposition for multivariate polynomials based on differentia- 
tion and homogenization proposed in [8, 9, 10, 19]. We show that a degree 
proper functional decomposition for a set of quartic homogenous polynomials 
can be computed using the algorithm with high probability from randomly 
decomposable polynomials. We proposed a conjecture such that the decom- 
position for a set of polynomials can be computed from its homogenization 
with high probability. Finally, we prove that the right decomposition factors 
for a set of polynomials can be computed from its right decomposition factor 
space. Combining these results together, we show that the algorithm can 
compute a degree proper decomposition for a set of quartic randomly de- 
composable polynomials with high probability if the conjecture we proposed 
is correct. Conjecture 5.4 seems to be correct while it is unsolved. 

Despite of the significant progresses, the general FDP for multivariate 
polynomials is widely open. Some of the basic problems related to FDP 
of multivariate polynomials are not resolved. We will give two basic open 
problems below. 

The first problem is about the existence of an algorithm for FDP. 

Problem 7.1 Given f € lZ n , to find an FDP for f is decidable or not. 

Note that in a decomposition / = g o h, the degrees of g and h could be 
arbitrarily high. Consider the following two transformations: 



where p is a polynomial in X2,---,x n of any degree. Then T\ o T 2 = 
(xi, . . . ,x n ). For any decomposition f = g o h, f = (g ° T\) o (T 2 o h) is 
also a decomposition of /. Therefore, one way to solve Problem 7.1 is to 
find the smallest possible degrees of g and h if a decomposition exists. 

The second problem is about the computational complexity of FDP. In 
this aspect, even the simplest case is not resolved. 

Problem 7.2 Let f £ lZ n be a set of quartic polynomials. Estimate the 
complexity of computing an FDP of f over a finite field K = F q . In partic- 
ular, does there exist a polynomial-time algorithm for Boolean polynomials? 



T-2 



: (xi,... 
: Oi, . . . 



X n ) => {Xl +P,X 2 ■ ■ ■ ,X n ) 
X n ) Ol -p,X 2 ...,X n ) 
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Remark: Faugere et al [11] also proved the correctness of section 4 
of our paper, but the corresponding part of our work was independently 
finished and used a different method. 
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